Field of the Invention
The present invention relates to a technique for preventing spoofing.
Description of the Related Art
In recent years, the number of systems that provide cloud-based services has been increasing, and the number of users of such services tends to increase year by year. When using such a cloud service, however, users are most concerned about security risk. The fact that a cloud server resides on the Internet and can be used by anyone from anywhere is its biggest advantage and, at the same time, a problem. In general account management on a cloud server, the server holds the user IDs and passwords of registered users and, when a client accesses it, performs user authentication to determine whether to allow a connection with the user of that client. In this case, if a user ID and password are stolen, a malicious third party can spoof the user to access the cloud server, causing leakage of personal information.
To solve this problem, a device authentication technique has been provided. This technique prevents spoofing by identifying the device that accesses a cloud server and limiting connections to those from a specific device. Japanese Patent Laid-Open No. 2009-223387 discloses a technique that uses hardware dedicated to authentication to reject authentication of every apparatus except a specific apparatus. This technique, however, has a cost problem, since dedicated hardware is necessary. As another method of realizing device authentication, performing client authentication using a client certificate and a key pair unique to a device is conceivable.
However, a risk may remain even if client authentication is performed using a client certificate and a key pair unique to a device. For example, when both the client certificate and the key pair unique to the device, which are used in authentication, are stolen and installed on another device, that other device can undesirably access the cloud server.